Taint-based Dynamic Analysis (CoC Research Day 2009)
  1. Taint-based Dynamic Analysis
    CoC Research Day - 9/25/2009
    Designed at Apple in California; assembled at Georgia Tech
  2-8. Dynamic Tainting Overview
    1. Assign taint marks
    2. Propagate taint marks
    3. Check taint marks
    [Figure, built up across slides 2-8: inputs A, B and C are assigned taint marks 1, 2 and 3; the marks propagate with the data to Z, where they are checked.]
  9-15. Dynamic Tainting Applications
    • Attack detection / prevention: prevent stack smashing, SQL injection, buffer overruns, etc.
    • Information policy enforcement: ensure classified information does not leave the system
    • Testing: coverage metrics, test data generation heuristic, etc. (✔/✘)
    • Data lifetime: track how long sensitive data remains in an application
    • Memory errors: detect illegal memory access, leak detection, etc.
    Slide 15 highlights leak detection, the application the rest of the talk covers.
  16-18. Detecting leaks is easy; fixing them is not
    addhash(char hname[]) {
    35.   int i;
    36.   HASHPTR hptr;
    37.   unsigned int hsum = 0;
    38.   for(i = 0 ; i < strlen(hname) ; i++) {
    39.     hsum += (unsigned int) hname[i];
    40.   }
    41.   hsum %= 3001;
    42.   if((hptr = hashtab[hsum]) == (HASHPTR) NULL) {
    43.     hptr = hashtab[hsum] = (HASHPTR) malloc(sizeof(HASHBOX));
    44.     hptr->hnext = (HASHPTR) NULL;
    45.     hptr->hnum = ++netctr;
    46.     hptr->hname = (char *) malloc((strlen(hname) + 1) * sizeof(char));  /* the buffer that ends up leaked */
    47.     sprintf(hptr->hname , "%s" , hname);
    48.     return(1);
    49.   } else {
            ...
    67.   }
    }
  19-25. Leak Detection Overview
    Discover where the last pointer to un-freed memory is lost.
    Assign taint marks at allocation, propagate them through pointer operations, check them when a pointer value is overwritten.

    Statement            Pointers carrying the mark afterwards   # of pointers tainted with this color
                                                                 mark 1   mark 2
    ptr1 = malloc(...)   ➔ ptr1                                  1        -
    ptr2 = calloc(...)   ➔ ptr2                                  1        1
    ptr3 = ptr1          ➔ ptr3 , ptr1                           2        1
    ptr1 = NULL          ➔ ptr1 , ptr3 (ptr1 loses the mark)     1        1
    ptr4 = ptr2 + 1      ➔ ptr4 , ptr2                           1        2

    Report error if taint mark's count is zero and memory has not been freed.
    In general propagation follows standard pointer arithmetic rules.
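The three steps on slides 2-8 applied to the pointer example above, as an added Python model that is not the Leakpoint tool's own code: each allocation gets a fresh mark, copies and pointer arithmetic propagate it, and the statement that drops a mark's count to zero while the block is still unfreed is reported as the leak point. The class and method names are this example's own.

```python
# Added example (not the Leakpoint tool's own code): a model of leak detection via
# dynamic tainting. Each allocation gets a fresh taint mark; pointer copies and
# arithmetic propagate it; a per-mark count of pointers carrying it is kept, and
# the statement that drops it to zero while the block is unfreed is the leak point.
class TaintLeakTracker:
    def __init__(self):
        self.next_mark = 1
        self.ptr_mark = {}   # pointer variable -> taint mark (None = untainted)
        self.count = {}      # taint mark -> number of pointers carrying it
        self.freed = set()   # marks whose block has already been freed
        self.reports = []    # (mark, statement) where the last pointer was lost

    def _set(self, var, mark, stmt):
        old = self.ptr_mark.get(var)
        if old == mark:      # e.g. p = p + 1: same block, counts unchanged
            return
        if old is not None:
            self.count[old] -= 1
            if self.count[old] == 0 and old not in self.freed:
                self.reports.append((old, stmt))   # 3. check taint marks
        self.ptr_mark[var] = mark
        if mark is not None:
            self.count[mark] += 1

    def alloc(self, var, stmt):         # 1. assign a fresh mark at malloc/calloc
        mark, self.next_mark = self.next_mark, self.next_mark + 1
        self.count[mark] = 0
        self._set(var, mark, stmt)

    def assign(self, dst, src, stmt):   # 2. propagate on copy or arithmetic
        self._set(dst, self.ptr_mark.get(src) if src else None, stmt)

    def free(self, var):                # block released: a later count of 0 is fine
        mark = self.ptr_mark.get(var)
        if mark is not None:
            self.freed.add(mark)

def run_slide_example():
    """Replay the statements from the slide, then lose the remaining pointers."""
    t = TaintLeakTracker()
    t.alloc("ptr1", "ptr1 = malloc(...)")        # mark 1 held by ptr1
    t.alloc("ptr2", "ptr2 = calloc(...)")        # mark 2 held by ptr2
    t.assign("ptr3", "ptr1", "ptr3 = ptr1")      # mark 1: ptr1, ptr3
    t.assign("ptr1", None, "ptr1 = NULL")        # mark 1: ptr3 only
    t.assign("ptr4", "ptr2", "ptr4 = ptr2 + 1")  # mark 2: ptr2, ptr4
    t.assign("ptr3", None, "ptr3 = NULL")        # last pointer to block 1 lost
    t.free("ptr2")                               # block 2 freed properly
    t.assign("ptr2", None, "ptr2 = NULL")
    t.assign("ptr4", None, "ptr4 = NULL")        # count hits 0 but freed: no report
    return t
```

The report names the statement, not the allocation, which is exactly the "where was the last pointer lost" information that a conventional leak checker's allocation stack alone does not give.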
  26-29. Detecting leaks is easy; fixing them is, too
    The string allocated in addhash at line 46 is the leaked block:
    46.     hptr->hname = (char *) malloc((strlen(hname) + 1) * sizeof(char));
    delHtab() frees every HASHBOX node but never its hname:
    delHtab() {
    15.   int i;
    16.   HASHPTR hptr , zapptr;
    17.   for(i = 0; i < 3001; i++) {
    18.     hptr = hashtab[i];
    19.     if(hptr != (HASHPTR) NULL) {
    20.       zapptr = hptr ;
    21.       while(hptr->hnext != (HASHPTR) NULL) {
    22.         hptr = hptr->hnext;
    23.         free(zapptr);        /* node freed, zapptr->hname is not */
    24.         zapptr = hptr ;
    25.       }
    26.       free(hptr);            /* same here for the last node in the chain */
    27.     }
    28.   }
    29.   free(hashtab);
    30.   return;
    }
    Fix (slide 29): add free(hptr->hname) so the name buffer is released before its node is freed.
  30-33. Leakpoint implementation
    Sample report:
    Pointer to memory area 0x1C93AC0 (16 bytes)
    allocated:
      at malloc
      by addhash (hash.c:50)
      by parser (parser.c:210)
      by readcell (parser.c:34)
      by main (main.c:98)
    was leaked:
      at free
      by delHtab (hash.c:28)
      by grdcell (grdcell.c:354)
      by main (main.c:227)
    The second stack is the new information: it points at the free in delHtab that discarded the last pointer to the block, not just at the allocation.
  34-37. Evaluation
    Transmission: locations identified by Leakpoint correspond to where the leaks were fixed by developers.
    Also found thousands of leaks in the SPEC INT benchmarks.
  38. Transmission excerpt (the leak reported by Leakpoint)
    static void processCompletedTasks(tr_web *web) {
        ...
        task->done_func(web->session, ..., task->done_func_user_data);
        ...
        evbuffer_free(task->response);
        tr_free(task->url);
        tr_free(task);
        ...
    }

    static void invokeRequest(void * vreq) {
        ...
        hash = tr_new0(uint8_t, SHA_DIGEST_LENGTH);     /* allocated here */
        memcpy(hash, req->torrent_hash, SHA_DIGEST_LENGTH);
        tr_webRun(req->session, req->url, req->done_func, hash);   /* passed on as user data */
        ...
    }

    static void onStoppedResponse(tr_session *session, ..., void *torrent_hash) {
        dbgmsg(NULL, "got a response ... message");
        /* the only release of the hash buffer is commented out, so the last pointer is lost here */
        // tr_free(torrent_hash);
        onReqDone(session);
    }
  39. Overhead
    Powerful but expensive
    • Execution time: 50 - 100x overheads are common
    • The analysis is completely automated
    • Developers have to think less
  40. Questions?